Anonymous
Unregistered
Scream, Just another vote to incorporate a function to send a post to an email address. Hoped to see this one in the latest release.

Soon?

Anonymous
Unregistered
I have a hack to do this - <A HREF="http://www.amdragon.com/cgi-bin/wwwthreads/showthreaded.pl?Cat=&Board=hack&Number=1191&page=2&view=collapsed&sb=5" target="_new">Send this Post to a Friend</A> - but it hasn't been updated for 5.1 yet.

<img src="http://www.amdragon.com/images/eileensig.gif" alt=" - " />

Anonymous
Unregistered
I second that, Scream. That one's a good one.
[Wink]
- Six
dave@mythprod.com
mYth productions

Anonymous
Unregistered
I can't get rid of the orange icon here, either. (in threaded)

<img src="http://www.amdragon.com/images/eileensig.gif" alt=" - " />

Anonymous
Unregistered
...persistent orange icon here too in threaded.

<img src="http://www.amdragon.com/images/eileensig.gif" alt=" - " />

Joined: Jun 2006
Posts: 9,242
Likes: 1
Former Developer
Which ones in this thread are staying orange? Can you give me the post numbers?

---
Scream
<A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>

Anonymous
Unregistered
I think I've narrowed it down to the first post in new threads posted this morning.

<img src="http://www.amdragon.com/images/eileensig.gif" alt=" - " />

Joined: Jun 2006
Posts: 9,242
Likes: 1
Former Developer
Ok, give it a try now.

---
Scream
<A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>

Anonymous
Unregistered
Just a note that this feature, if added to the main tree (and not just a hack-in like Eileen's code), should DEFINITELY have some config options included to disable it for those of us who don't want to allow it to be used. (falls into the "abuse potential" category too easily... add a spam-like post, feed a bunch of addresses to the "mail this to a friend" URL, and all of a sudden, you're being used as a spam source. No thanks.)

D

Anonymous
Unregistered
Well, obviously the send page should not just send the page but also a message explaining why you have received it.
You can't send to more than one at a time, therefore avoiding spam.
Another step could be to only show the send option to those who are logged in. And maybe even set the reply address to the one who has sent the message, so no spam could really be involved.

By the way, I would give this feature priority over the print button that Scream has said wants to implement.

Mateo Byler
<A HREF="http://crucedecaminos.com" target="_new">CruceDeCaminos.com</A>

Anonymous
Unregistered
I wouldn't want it for only people who are logged in. Some people and I already e-mail each other links to posts and I only do that when they're not online 'cause otherwise I'd IM them.

Anonymous
Unregistered
True, even though I suggested that, I think it should be optional to limit it or not to members. Personally, I am not paranoid about it, and if a message is there, explaining why you have received it, I would allow everyone to send page. It is a huge, no, not huge, HUGE way of promoting your page, letting other happy visitors do so for you.

Mateo Byler
<A HREF="http://crucedecaminos.com" target="_new">CruceDeCaminos.com</A>

Anonymous
Unregistered
I was agreeing with requiring them to be members but I was disagreeing with requiring them to be "online" on W3T.

Anonymous
Unregistered
<blockquote>Well, obviously the send page should not just send the page but also a message explaining why you have received it.</blockquote>

From a spam standpoint, irrelevant.

<blockquote>You can't send to more than one at a time, therefore avoiding spam.</blockquote>

As evidenced before. An LWP perl script which called the appropriate URL with the appropriate form values is a no-brainer.

<blockquote>Another step could be to only show the send option to those who are logged in.</blockquote>

... and adding an appropriate cookie to such LWP script requires an additional 2 lines of code.

<blockquote>And maybe even set the reply address to the one who has sent the message, so no spam could really be involved.</blockquote>

... completing the illusion for the spammer. It comes "from" them (so they'll get any replies, yayyyy), and the w3t site looks "misconfigured" since it allowed someone to create a post and spam it out to (hundreds/thousands/millions){pick-one} of users who didn't ask for it, but whose addresses were included in spammer's LWP script.

Again -- if this is included, it NEEDS to be capable of being disabled.

D

Anonymous
Unregistered
OK, so some like you will not want it. Should be able to disable it then.

I would be really surprised at anyone trying to spam through a forum. Come on... there are easier ways of doing so... It is not worth the trouble.

<blockquote>... completing the illusion for the spammer. It comes "from" them (so they'll get any replies, yayyyy), and the w3t site looks "misconfigured" since it allowed someone to create a post and spam it out to (hundreds/thousands/millions){pick-one} of users who didn't ask for it, but whose addresses were included in spammer's LWP script.</blockquote>

Man... whoever goes through that trouble to spam, what was it, hundreds/thousands/millions through a forum is a really weird person with no life to live. Are you saying he will be filling in email addresses one by one (only send to one option...) for hundreds, thousands, and millions of people he wants to spam? If he has so many email addresses I really doubt he does not know of a better way to spam. There are tools out there that can send thousands of messages in minutes, doing so through a form like this one would just about kill you if you even tried more than 20.
In any case, I guess you could not permit more than 3 pages to be sent per day, but I really doubt that would be needed... as I say, I can't imagine one with such a bad life.

Mateo Byler
<A HREF="http://crucedecaminos.com" target="_new">CruceDeCaminos.com</A>

Anonymous
Unregistered
<blockquote>I would be really surprised at anyone trying to spam through a forum. Come on... there are easier ways of doing so... It is not worth the trouble.</blockquote>

Every conceivable way of obfuscating the trail between the spammer and the recipient works to the spammer's advantage.

<blockquote>Are you saying he will be filling in email addresses one by one (only send to one option...) for hundreds, thousands, and millions of people he wants to spam?</blockquote>

No, he'd have purchased a list somewhere, probably on CD-ROM, containing all those addresses "pre-typed", and probably paid around $100 or so for the list.

<blockquote>If he has so many email addresses I really doubt he does not know of a better way to spam.</blockquote>

Actually, there IS no better way to spam. The mail-header trail from the recipient back to the spammer ends at the w3t site (since it originated the e-mail) .. again, any obfuscation of the sender works to the spammer's advantage.

<blockquote>as I say, I can't imagine one with such a bad life.</blockquote>

... spammers suck. Our opinion of them will not necessarily change that. [Smile]

D

Anonymous
Unregistered
<blockquote>No, he'd have purchased a list somewhere, probably on CD-ROM, containing all those addresses "pre-typed", and probably paid around $100 or so for the list.</blockquote>

I would take my chances, it is a great feature that can be very helpful. It would require really bad luck to have one idiot spend $100 on an email list -with no email program! and spend a couple months (it would take really long, +no sleep) spamming through your site. Stupid. Sure it can happen, but that's like not going out for a walk because a car might crash into you -there is a chance a drunken driver might get you, you know...


Haha! I could give you some other points, but I see this would be a never ending thread as I doubt you will change your mind on it. [Smile]


Mateo Byler
<A HREF="http://crucedecaminos.com" target="_new">CruceDeCaminos.com</A>

Anonymous
Unregistered
My hack has all those safety features. [Smile]

<img src="http://www.amdragon.com/images/eileensig.gif" alt=" - " />

Anonymous
Unregistered
You must have encountered some really unpleasant people to have become so paranoid. Do you by any chance run 'adult' sites? [Smile]

<img src="http://www.amdragon.com/images/eileensig.gif" alt=" - " />

Anonymous
Unregistered
As you probably know, I run a webhosting company (though the site isn't 100% done yet). I've actually been doing webhosting for several years now. One of the things I have to worry about, is what if one of my users sends a few hundred, thousand, million messages from his account or pointing to his site? There are lots of people who use throwaway accounts, i.e. they sign up with an ISP or IPP (I'm in the latter) with fake info, send out their spam, then disappear. In the meantime, the ISP/IPP is left with a HUGE amount of messages from angry users complaining that one of your customers is spamming them. Also, if one of your users sends spam from your network, your upstream provider has the right to terminate your connection, thereby making ALL of your users very unhappy. This could make a small operation go bankrupt very quick. Imagine having to refund that month's charges to all your users, and losing who knows how many of them? And who among them will recommend you to a friend?

So we tighten up security. Close up our SMTP ports to outsiders. Restrict how "authorized" users can send mail (limit on messages sent in a certain amount of time, limit the number of CC addresses, etc.). Also have you noticed how it's hard to find a host that'll let you run your own mailing list? Or they'll limit the amount of addresses you can send it to.

Anyways back on track a bit...I've checked out all these tools. Even got hold of one of those lists. I doubt half of the addresses were even valid. There's lists of open SMTP servers, so you can send spam and it won't originate from your ISP. There's bulk emailing programs that'll make it look as though the mail hopped between servers it didn't, make it look like the email originated from the target's own PC even! These guys will use every trick in the book. If they notice there's a way to spam using WWWThreads....they'll jump right on it.

Not trying to scare anyone off, just trying to justify these people's fears. It's not a big deal to most all of you, but to those of us who may be vulnerable or who've had this happen before...we like to be extra careful.

Just FYI I'd probably enable this feature myself [Smile]

Anonymous
Unregistered
I've just worked my way through all the erstwhile offenders and I'm happy to report there isn't an errant orange icon in sight. Well done and thank you. [Smile]

<img src="http://www.amdragon.com/images/eileensig.gif" alt=" - " />

Anonymous
Unregistered
Good grief! Those are damn fine reasons for being wary. Maybe I'll add a further restriction to my hack that not only restricts it to members but also is further restrained by another hack that would make a probationary period obligatory before becoming a fully fledged member during which time all posts are monitored and no send2friend is allowed. Not perfect but every little helps...

<img src="http://www.amdragon.com/images/eileensig.gif" alt=" - " />

Anonymous
Unregistered
What if, instead of sending the message from the W3T server with sendmail we used the user's own email instead. i.e. take the target email address and other info from the user and then create a link for them like:
mailto:target@wherever.com?subject=interesting&body=info
According to my copy of Web Design in a Nutshell, p. 143, "as of this writing, these additional functions are only supported by Netscape 4.0" so maybe this isn't an option for compatibility reasons (or maybe things have changed since this book was written). If this can be made to work it seems like an ideal solution - take inputs from the user and create a link/button which will pop it up into their mail program all ready for them to send (and edit if they want to add commentary).

Bill Dimm, <A HREF="http://MagPortal.com/" target="_new">MagPortal.com</A> - <font color=red>free</font> feeds for your site.

Anonymous
Unregistered
But then you run into the same kind of debate as the "well why not use javascript, EVERYONE that matters uses javascript, and cookies too, and..." This kind of solution would work fine for me, and for most users. But what about hotmail users, or maybe even AOL'ers (I haven't tried clicking an email link in AOL/Compuserve, but I assume if not done with their own browser, it wouldn't start AOL's email program). If it's done this way, we need to just have them click a link, and have most of the info automatically put into their email program. I used to hate it when I was on a college PC, I'd get a form 100% filled out and when I click submit, Netscape Mail would pop-up. Oh I'd get SOOO ticked!

I'll see what I can do myself to make a link like this work. I already know how to make the mailto: part work with entering the person's email address, subject, and even the message itself...just need to get WWWThreads to pull that info somehow.

Anonymous
Unregistered
Most people are suspicious about anything that requires your own email program, furthermore, they will probably get a bad impression from the site's "high" technology that needs you to open your own browser.

I think that making the return address the one of who sends the page, that is, of the member (remember, they need a valid email to sign up) should be fine. If you ever want to complain about spam, you generally reply back. In this case, to the spammer.

And what kind of spam can you really make through a forum? The whole thing sounds stupid to me. So in the extreme case that you are "spammed", you check the board and reply saying you hate this "company" that has spammed you telling everybody what they've done to you, and so on.... at a forum! Who wants to send anyone to a forum through spam where all your victims can gather and get on you... If you want to do spam, spamming through a forum seems really stupid to me.

Plus, if you have moderators at your site making sure there are no "spam messages" in it, nobody will be able to send them 'cause they get deleted.

That is my opinion.

Mateo Byler
<A HREF="http://crucedecaminos.com" target="_new">CruceDeCaminos.com</A>

Anonymous
Unregistered
I've become that paranoid, because at my <A HREF="http://www.yahoo.com/" target="_new">day job</A>, you really need to be (and you see it, every single day) [Smile]

D

Anonymous
Unregistered
<blockquote>I think that making the return address the one of who sends the page, that is, of the member (remember, they need a valid email to sign up) should be fine.</blockquote>

Two points to consider:

1.) Many sites reject mail from, say "username@aol.com" if it doesn't actually come from aol.com (since a lot of spammers forge their e-mail addresses and send through some relay in Korea)

2.) Your configuration may require a valid e-mail to sign up, but if you're allowing people to set their own password, their "valid" e-mail may be "president@whitehouse.gov" for all you know.

<blockquote>And what kind of spam can you really make through a forum? The whole thing sounds stupid to me.</blockquote>

OK, walk ya through it step-by-step.

1.) Create account on w3t
2.) Create post "Make Money Fast", in the body include details.
3.) Click on "mail this post to a friend."
4.) note the URL
5.) Enter URL into your perl script
6.) Feed your perl script the list of e-mail addresses to spam.
7.) Those e-mail addresses will "kindly" be fed your "Make Money Fast" post (you don't actually care if they "visit" the post or not, you fed them the message itself which is what counts), with the w3t board (which has your throwaway address in the from headers) obfuscating how to track you down.

<blockquote>Plus, if you have moderators at your site making sure there is no "spam messages" in it, ...</blockquote>

This is only relevant if (a) every board is moderated (many many w3t sites have at least one unmoderated board), or (b) you have moderators on 24x7x365 who can immediately nip the post in the bud. Not too likely.

Some of us do this "web thing" for a living, and while you may not yet have encountered the sort of scumbag who will do this, they DO exist, and if the vulnerability exists, they'll eventually find and exploit it.

D

Anonymous
Unregistered
Any system can be abused, it's all a matter of time and determination - just ask the microsoft folks. heh

But I agree with having a probationary period, I see that as being the easiest and most effective (efficient?) way of cutting down on the chances of spam abuse via your site.
- Six
dave@mythprod.com
mYth productions

Anonymous
Unregistered
Working with locks, I had a co-worker that had three different types of locks on his door, as well as a home security system, motion detectors, probably some other stuff he wouldn't tell me about. He kept learning (job-related purposes I like to think... heh) how to defeat the systems he had, so when he would, he'd buy something new. Not knowing official statistics, I'd bet most homes, apartments, townhomes have standard tumbler locks (most/all deadbolts are tumblers). They are easy to scrub. The info is available on the Internet. There are battery-operated devices that will do it for you, and they're (retail) just over $100, probably -much- less if bought over the Internet or through "associates". Most people feel safe in having standard locks because they frankly aren't thieves... they don't know the inner workings of the devices they have, they simply know not to lock their keys inside their vehicle (another easily-picked potential victim).

The point is, you're absolutely right about the potential for abuse. What others are basically telling you is, not that you're wrong, but that the chances of this happening are so slim (or so slim in their eyes, not yours so much), that it's not even worth worrying about so much, just like it's not worth worrying about your deadbolts getting picked (which statistically speaking, they may be right).

I also agree with you that this option, which if implemented (and I definitely want the option), should be an option to disable. Even though the chances may not be high of this happening, the damage/trouble it could cause is worth a little paranoia (Was that a footstep down the hall?). In addition to it being capable of being disabled, there probably should be some sort of configurable time limit on how long a user must be a "user" before being allowed to use that feature. Maybe following the title code and after the person is no longer a "stranger" then he/she can use it.

It's worth the trouble in my opinion. That and the newsflash thing really helps create community and traffic and interesting conversations and communication.

My .02. [Wink]


- Six
dave@mythprod.com
mYth productions

Anonymous
Unregistered
Even if they do subscribe with a real email address, that can be quickly changed in the profile, and I don't recall seeing anything that tracks the original email address signed up with... Two things that I think that can be done here.. First off, and most importantly, make sure the mailpost script checks the referer at a minimum. A second thing you could do is make the mail post a "feature" for registered users only. Then, when it happens, you will have their IP address logged from when they signed up. Also, with that you could probably require the cookie authentication before allowing the mail to pass through. I'm guessing these would solve most of the problems. While I know that IP's can be spoofed and referers can be forged, but you have at least put up some protections... If you were really concerned about it, you could probably set up some sort of session ticket table and when the mailpost.pl form is started, it creates a session ticket in the table, and then when it's sent, it deletes it, that way when they try and pipe it through a perl script, there are no tickets, and therefore the mail should fail.

I just checked my version of mailpost and noticed that the referer check isn't in it yet.. I haven't tried this yet, (it's too late here) but I'm guessing if you add something like this (from addpost)
w3t::check_refer($Cat);
to mailpost right after
w3t::db_connect();
you can probably take care of that to start...

Also keep in mind that for most people that get attacked this way, it's probably going to bring the server down anyways... or at the very least put a noticeable load on the machine.
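
The session ticket table proposed in the post above, combined with the off-by-default switch, the membership waiting period and the one-recipient rule raised elsewhere in this thread, as an added example that is not code from the thread or from WWWThreads. It is written in Python rather than the forum's Perl, and the names `MailPostConfig`, `TicketStore`, `render_form` and `handle_send`, the 14-day probation, the 15-minute ticket lifetime and the in-memory dictionary standing in for a database table are all assumptions.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass


@dataclass
class MailPostConfig:
    enabled: bool = False          # the feature ships switched off; the admin opts in
    probation_days: int = 14       # assumed waiting period for new members
    ticket_ttl_seconds: int = 900  # assumed lifetime of an unused ticket


# Exactly one address: no whitespace (so no CR/LF header injection)
# and no list separators that would smuggle in extra recipients.
ONE_ADDRESS = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+")


class TicketStore:
    """In-memory stand-in for the session ticket table."""

    def __init__(self):
        self._rows = {}  # sha256(ticket) -> (member_id, post_id, expires_at)

    @staticmethod
    def _key(ticket):
        # Store only a hash, so a leaked table does not reveal usable tickets.
        return hashlib.sha256((ticket or "").encode()).hexdigest()

    def issue(self, member_id, post_id, expires_at):
        ticket = secrets.token_urlsafe(32)
        self._rows[self._key(ticket)] = (member_id, post_id, expires_at)
        return ticket

    def redeem(self, ticket, member_id, post_id, now):
        # pop() deletes the row on first use, so a replayed request finds nothing.
        row = self._rows.pop(self._key(ticket), None)
        return row is not None and row[:2] == (member_id, post_id) and now <= row[2]


def past_probation(cfg, member_joined, now):
    return now - member_joined >= cfg.probation_days * 86400


def render_form(cfg, store, member_id, member_joined, post_id, now):
    """Called when the send form is displayed; returns the hidden-field ticket."""
    if not cfg.enabled or not past_probation(cfg, member_joined, now):
        return None
    return store.issue(member_id, post_id, now + cfg.ticket_ttl_seconds)


def handle_send(cfg, store, member_id, member_joined, post_id, ticket, recipient, now):
    """Called when the form is submitted; returns a status string."""
    if not cfg.enabled:
        return "disabled"
    if not past_probation(cfg, member_joined, now):
        return "probation"
    if not ONE_ADDRESS.fullmatch(recipient):
        return "bad-recipient"   # ticket is kept so the member can correct the address
    if not store.redeem(ticket, member_id, post_id, now):
        return "bad-ticket"      # missing, replayed, expired, or issued to someone else
    return "sent"                # a real handler would pass the message to the mailer here
```

A single-use ticket only defeats blind replay of a recorded submit URL; a script that requests the form first still receives a ticket, which is why the probation gate and the disabled-by-default switch sit in front of it.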

Anonymous
Unregistered
<blockquote><font size=1>In reply to:</font><hr>

Even if they do subscribe with a real email address, that can be quickly changed in the profile, and I don't recall seeing anything that tracks the original email address signed up with

</blockquote>

Actually, the original email address is kept in the U_RegEmail field in the database, but this doesn't really help if that email address is on hotmail, etc.

For what it's worth, I think it's good that Dredd is bringing these points up (paranoid or not) since it is causing people to think hard about the issues and making them aware of the dangers if they decide to use such a feature. It's easy to say "nobody is going to bother writing a perl script which fakes the referrer and sends the cookie and..." but if it is possible to do it, there is a risk that one jerk will spend the time doing it and then post the script somewhere. Then anyone (even with no technical skills) would be able to exploit a huge number of W3T sites using the feature. Something that seems highly unlikely could get ugly very fast.

Bill Dimm, <A HREF="http://MagPortal.com/" target="_new">MagPortal.com</A> - <font color=red>free</font> feeds for your site.

Anonymous
Unregistered
So what would you all say to one of my suggestions of limiting sent pages by, say 3 messages per day? Either by IP or by member.
Mateo Byler
<A HREF="http://crucedecaminos.com" target="_new">CruceDeCaminos.com</A>

Anonymous
Unregistered
Limiting by IP: will screw AOL and other services which use proxies.

Limiting by member: will simply encourage the script to be written to also randomly generate accounts to USE to forward the message.

Limiting by the post itself: will lead to either automatically reposting the spam to the website as necessary, as well as potentially making the feature useless to people who want to use it for legitimate needs.

D

Anonymous
Unregistered
Sure you could always find a work around to hack the security features in the forum. But wouldn't it be easier to just move on to a different forum system -different site, to hack and spam through?


I see the best security feature if this send page thing ever gets in (Scream has never said it will) would be to disable it. I wouldn't 'cause I don't consider my site in that much potential danger, but I am sure you would, haha! [Smile] That is... unless someone comes with the most unthinkable solution... I doubt it, though...

Mateo Byler
<A HREF="http://crucedecaminos.com" target="_new">CruceDeCaminos.com</A>

Anonymous
Unregistered
You're right that a spammer might "go elsewhere", but the DoS exploit is so easily coded that all it takes is one to do it, and release the code on a web site, or on BugTraq (heck, being a BugTraq contributor, I'd even have an ethical obligation to write the exploit myself and release it).

I don't disagree that 99% of the sites that enabled this feature would not be exploited. The trick is to (a) minimize the usability of it for exploits, and (b) to allow the owner to remove/disable the feature (and its associated exploits) at their discretion (and to have "disabled" be the default value... You don't have exploitable code enabled by default).

D

Anonymous
Unregistered
Eileen, Thank you for your reply. I'm using ver 4.3. Is it safe to assume that your hack works for that version?

Also, to everyone that participated in this discussion, thanks for your input. Although I'm surprised at the amount of concern, I'm glad the topic generated thoughtful discourse.

Anonymous
Unregistered
4.3 was an awfully long time ago - I can't even remember what it looked like. [Roll Eyes]
Why don't you upgrade?

<img src="http://www.amdragon.com/images/eileensig.gif" alt=" - " />

